Excerpt from the book "Configuring IPCop Firewalls: Closing Borders with Open Source"

Excerpt from the book Configuring IPCop Firewalls: Closing Borders with Open Source by Barrie Dempster and James Eaton-Lee. Published by Packt Publishing and reprinted with permission. All rights reserved. IPCop is a firewall for the Small Office/Home Office (SOHO) network, which is extremely easy to use and is released under the GNU General Public License (GPL). This excerpt

Topology Two: NAT Firewall with DMZ

In a small office situation with a growing company, the need for incoming email might force the activation of the Orange zone, and the deployment and installation of a mail server in this segment.

Such a company might choose to keep its Desktop and Internal Server infrastructure within the Green network segment and put their its server in the DMZ on a switch/hub, or simply attached to the Orange interface of the IPCop host using a crossover cable. As such systems are exposed to the Internet, this segmentation provides a considerable advantage by providing a 'stop line' past which it would be harder for an intruder to escalate his or her access to the network.

Microsoft's Exchange mail server has for some time supported such a configuration through the use of the 'front end' and 'back end' exchange roles (although these roles will be deprecated with future Exchange releases). With a different network configuration however, such as Linux clients using a management system such as Novell's eDirectory or RedHat's Directory Server (RHDS), or a filtering appliance, a similar system with externally-facing SMTP servers (perhaps running the open-source MTA exim) would be equally beneficial.

In this topology, Clients are freely able to connect to the mail server (whether via POP, IMAP, RPC, or RPC over HTTP). In order for a mail server that exists as part of the network domain to authenticate to the directory server, we would also need to open the appropriate ports (contingent upon the directory provider) to the directory server using the DMZ Pinholes feature.

We also have a Port Forwarding rule set up from the external IP address of the IPCop firewall to port 25 on the mail server. This allows external mail servers to connect to the mail server in order to deliver email.

In this topology, a compromise of the mail server (which in the Green segment could compromise the entire network segment) is controlled, as there is some level of protection provided by the firewall.

In such a topology, we use the following capabilities of the IPCop Firewall:

Red, Orange, Green zones

DMZ Pinholes

DHCP Server

DNS Server

Port Forwarding to Orange segment

We might also choose to employ any of the following elements of functionality:

IPSec for remote access to Servers in the Green and Orange segment or for external support

Back-end mail server with mailboxes in the Green zone, using the Server in the Orange zone as a relay, performing anti-spam and anti-virus scanning/filtering

Topology Three: NAT Firewall with DMZ and Wireless

In a larger organization, or if the network above grew, we might choose to expand our network topology using one or more IPCop firewalls.

Several IPCop firewalls might be used by such an individual in order to separate several sites, or in order to further segregate one or more DMZs with physically distinct firewalls.

It is also worth considering that IPCop is designed primarily for networks in which it is the only network firewall, in the Small and Medium Business, and Home/Home Office market. Although it is possible to set IPCop up in larger deployments, this is fairly rare, and there are other packages that are arguably more suited to such deployments. In such circumstances, the constraints of IPCop's network segmentation begin to be more burdensome than they are convenient, and the amount of work required to tailor IPCop to meet an organization's needs may exceed the work it would take to manually set up another firewall package to suit the same topology.

In this example, we will consider the broadest scope in which one IPCop box could be deployed, using all four network interfaces to protect a network with an internal (Green) network, an Internet or WAN connection (Red), a DMZ containing more than one Server (Orange), and a wireless segment (Blue) with an IPSec VPN system.

In such a situation, we would almost certainly choose to deploy all of the higher-end features that IPCop contains, such as the Proxy Server and the Intrusion Detection System.

In this situation, the services we are providing for individual network interfaces are as follows:

On the Red Interface, in addition to the default firewalling policy, we are invoking the Port Forwarding feature to allow connections to the mail server on port 25 in the DMZ, and also to port 443 (https) on the mail server in order to allow connections to the business webmail system. We are also allowing incoming IPSec connections to the IPCop firewall in order to allow remote access to staff who work remotely and to provide remote connectivity for support purposes for the IT Staff and third-party software and hardware vendors.

On the Blue interface, we are providing connectivity via an IPSec VPN for clients in order that they can access services run from Servers internally on the Green segment and DMZ segment. Vendors and visitors are allowed access to the Green segment through use of WPA in pre-shared key mode configured on the wireless access point.

WPA-PSK with solely an access point prevents access to the wireless segment and the Internet by unauthorized users, and is an adequate solution for most small and medium networks; use of a newer, WPA2-PSK-capable access point increases this security more for those without an access point or network infrastructure implementing RADIUS or Certificate Services.

The firewalling policy and IPSec system ensures that visitors/vendors only have access to the Red zone (the Internet), and not to any of the resources on the network.

On the Orange interface, our pinholes allow the DMZ servers to connect to a directory server and Kerberos domain controller in the Green segment in order to authenticate users logging onto them via the company directory system. This ensures that the policy and configuration for these Servers is managed centrally, and that there are logs stored centrally for them, but the damage that could be caused by a compromise of these externally-facing services is greatly minimized, ensuring business security and regulatory compliance.

On the Green interface, we allow connectivity to all interfaces, as workstations and Servers within the Green segment are managed service workstations on which users do not have the necessary level of access to cause damage to the resources to which they have access.

In such a situation, we are making use of the following IPCop features:

Red, Orange, Green, Blue zones

DMZ Pinholes

DHCP Server

DNS Server

Port Forwarding to Orange segment

IPSec for remote access to Green, Orange, Blue segments

IPSec for access to internal resources by Blue users

Intrusion Detection System

Port Forwarding to web server on the Mail server externally

Proxy Server (for desktop Internet access)

In a larger organization, we may also choose to use IPSec in site-to-site mode in order to link this office with one or more branch or parent offices. In this role as in the role of a single network firewall, IPCop excels.

Small Office/Home Office maybe buy home user like me do not use a firewall, I think firewall are only for corps. It is not a big deal to implement a firewall on my home computer. I use linux. I just never got DoS attacks on my home computer.

I use an Ipcop firewall at home. It runs great on an old k6 and protects both wired and wireless networks. In Ipcop-speak, this is a Red-Green-Blue network, where red=external, green=wired, blue=wireless. The firewall rules are very thorough and extensible. It was easy to set up for what it does. It does DHCP, has a caching proxy server, an intrusion detection system, NTP server, etc. It is also very secure. My wife has a firewall on her wireless XP laptop and almost nothing ever hits it. This is a very polished, easy to use firewall distribution and you cannot beat the price.

I would not go online without some sort of hardware firewall. And Ipcop beats limited consumer routers hands down. All you need is an older PC and a couple of network cards. And if you want to connect to a VPN or have a DMZ, Ipcop boxes are way less expensive than commercial solutions.